[openssl-commits] [web] master update
Matt Caswell
matt at openssl.org
Thu Feb 16 12:05:21 UTC 2017
The branch master has been updated
via 53ec621aa94b3b9f75cb2012178fed494819de4d (commit)
from e088c8bb8449c3613e41a5200acbd56cd23268b8 (commit)
- Log -----------------------------------------------------------------
commit 53ec621aa94b3b9f75cb2012178fed494819de4d
Author: Matt Caswell <matt at openssl.org>
Date: Thu Feb 16 11:54:10 2017 +0000
Update newsflash and vulnerabilities.xml
-----------------------------------------------------------------------
Summary of changes:
news/newsflash.txt | 1 +
news/vulnerabilities.xml | 20 +++++++++++++++++++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/news/newsflash.txt b/news/newsflash.txt
index a32903f..1a66cde 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -4,6 +4,7 @@
# Format is two fields, colon-separated; the first line is the column
# headings. URL paths must all be absolute.
Date: Item
+16-Feb-2017: OpenSSL 1.1.0e is now available, including bug and security fixes
13-Feb-2017: New Blog post: <a href="https://www.openssl.org/blog/blog/2017/02/13/bylaws/">Project Bylaws</a>
13-Feb-2017: New <a href="https://www.openssl.org/policies/bylaws.html">OpenSSL Bylaws</a> published
13-Feb-2017: OpenSSL 1.1.0e <a href="https://mta.openssl.org/pipermail/openssl-announce/2017-February/000095.html">security release due on 16th February 2017</a>
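Review bot: The added 16-Feb-2017 line is plain text with no link, while the three entries below it each wrap their item in an `<a href=...>`. Since the entry announces security fixes, consider linking it to the advisory that the vulnerabilities.xml change in this same commit references (`/news/secadv/20170216.txt`), written as an absolute URL as the file's header comment requires, so readers of the newsflash can reach the details directly.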
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index 6c32b4c..3d759a8 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -5,7 +5,25 @@
1.0.0 on 20100329
-->
-<security updated="20170126">
+<security updated="20170216">
+ <issue public="20170216">
+ <impact severity="High"/>
+ <cve name="2017-3733"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <fixed base="1.1.0" version="1.1.0e" date="20170216"/>
+ <description>
+ During a renegotiation handshake if the Encrypt-Then-Mac extension is
+ negotiated where it was not in the original handshake (or vice-versa) then
+ this can cause OpenSSL to crash (dependent on ciphersuite). Both clients
+ and servers are affected.
+ </description>
+ <advisory url="/news/secadv/20170216.txt"/>
+ <reported source="Joe Orton (Red Hat)" />
+ </issue>
<issue public="20170126">
<impact severity="Moderate"/>
<cve name="2017-3731"/>
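Review bot: The new `<description>` says the crash is "dependent on ciphersuite" without naming which ciphersuites are involved, so a reader of this entry alone cannot tell whether their configuration is exposed. Consider stating the affected ciphersuite class in the description, or saying explicitly that the advisory at `/news/secadv/20170216.txt` has that detail. A minor style point in the same block: `<reported source="Joe Orton (Red Hat)" />` has a space before `/>`, while the other self-closing elements added here (`<impact .../>`, `<cve .../>`, `<affects .../>`, `<fixed .../>`, `<advisory .../>`) do not.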